NAME

auristorfs_key_rotation - AuriStorFS Key Rotation Using Acceptor Only Keys

DESCRIPTION

Key rotation can be difficult because there is a risk of a single point of failure if a shared key starts being used for new connections before all of the servers have knowledge of the key. AuriStorFS addresses these risks by introducing the concept of acceptor-only keys. Acceptor-only keys cannot be used to initiate new connections. Therefore, such keys can be safely distributed to servers without risk that the keys might be used before the accepting server has received its copy of the key.

ADDING A NEW KEY

The asetkey(8) add sub-command adds a key to /etc/yfs/server/KeyFileExt that can be used both for initiating outgoing and accepting incoming connections. Adding a new key that can be used for initiating outgoing connections before the key is available on the accepting server can result in communication failures.

The asetkey(8) add-acceptor sub-command adds an acceptor-only key to /etc/yfs/server/KeyFileExt that will only be used when accepting connections. This makes it safe to add new keys without the risk that a service restart prior to the distribution of the updated /etc/yfs/server/KeyFileExt to all systems might result in the premature use of a new key to secure subsequent initiated connections.

After the /etc/yfs/server/KeyFileExt containing the acceptor-only key has been deployed to all AuriStorFS servers, and the /etc/yfs/server/yfs-server.conf file has been touched (or the servers restarted) so that the new file is read, the asetkey(8) promote-acceptor sub-command can be executed to convert the acceptor-only key to a normal key that can be used when initiating connections.

REMOVING AN OLD KEY

The asetkey(8) delete sub-command removes a key from /etc/yfs/server/KeyFileExt, preventing it from being used for either initiating outgoing or accepting incoming connections. Removing a key from a server while an initiating server might still use it can result in communication failures.

The asetkey(8) demote-to-acceptor sub-command converts a normal key to an acceptor-only key that will only be used when accepting connections. Once the key is acceptor-only on all servers it is safe to remove the key from /etc/yfs/server/KeyFileExt.

A KEY ROTATION RECIPE

The key rotation pattern using acceptor-only keys is:

  1. execute asetkey(8) add-acceptor to add a new acceptor-only key to /etc/yfs/server/KeyFileExt

  2. on each server in the cell

    1. deploy updated /etc/yfs/server/KeyFileExt

    2. touch /etc/yfs/server/yfs-server.conf

  3. execute asetkey(8) promote-acceptor to promote the acceptor-only key to a normal key in /etc/yfs/server/KeyFileExt

  4. on each server in the cell

    1. deploy updated /etc/yfs/server/KeyFileExt

    2. touch /etc/yfs/server/yfs-server.conf

  5. execute asetkey(8) demote-to-acceptor to convert the old key to an acceptor-only key in /etc/yfs/server/KeyFileExt

  6. on each server in the cell

    1. deploy updated /etc/yfs/server/KeyFileExt

    2. touch /etc/yfs/server/yfs-server.conf

  7. wait until the demoted key is no longer in use, otherwise Rx connections created with the demoted key via tokens or localauth will fail to authenticate

  8. execute asetkey(8) delete to remove the old acceptor-only key from /etc/yfs/server/KeyFileExt

  9. on each server in the cell

    1. deploy updated /etc/yfs/server/KeyFileExt

    2. touch /etc/yfs/server/yfs-server.conf
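The following model is an added example; it is not part of this man page and not AuriStor code. It represents each server's KeyFileExt as a map from key version number to a role (normal or acceptor-only) and walks through both the recipe above and the naive alternative (asetkey add followed by delete), deploying the updated file one server at a time and checking after every single-host deployment whether every server can still open a connection to every other server. The host names, kvnos and function names are constructed, and the model assumes that an initiating server always uses its newest normal key; existing tokens and long-lived connections (the reason for step 7) are not modelled.

```python
"""Model of AuriStorFS key rotation with acceptor-only keys.

Added example, not from the auristorfs_key_rotation man page or from
AuriStor's code. A server's KeyFileExt is a dict {kvno: role}; the cell
is a dict {hostname: KeyFileExt}. Host names, kvnos and the assumption
that initiators pick the newest normal key are constructed for this
illustration.
"""
from copy import deepcopy

NORMAL = "normal"      # usable both for initiating and accepting connections
ACCEPTOR = "acceptor"  # usable only when accepting connections


def new_cell(hosts, kvno=1):
    """A cell where every server holds a single normal key."""
    return {host: {kvno: NORMAL} for host in hosts}


def initiator_key(keyfile):
    """Key an initiating server uses: its newest normal key (assumption)."""
    normal = [kvno for kvno, role in keyfile.items() if role == NORMAL]
    return max(normal) if normal else None


def connect(initiator, acceptor):
    """True if `initiator` can open an Rx connection to `acceptor`.

    The accepting side honours any key it holds, normal or acceptor-only;
    the connection fails only if it does not have that kvno at all.
    """
    kvno = initiator_key(initiator)
    return kvno is not None and kvno in acceptor


def cell_healthy(cell):
    """Every server can reach every other server (including itself)."""
    return all(connect(src, dst) for src in cell.values() for dst in cell.values())


def deploy(cell, keyfile, hosts):
    """'deploy updated KeyFileExt; touch yfs-server.conf' on the given hosts."""
    for host in hosts:
        cell[host] = deepcopy(keyfile)


def rotate(cell, old_kvno, new_kvno, use_acceptor_only):
    """Rotate old_kvno out and new_kvno in; return the steps that broke the cell.

    use_acceptor_only=True follows the man page recipe (add-acceptor,
    promote-acceptor, demote-to-acceptor, delete); False adds the new key
    directly as a normal key (add) and then deletes the old one.
    """
    hosts = sorted(cell)
    master = deepcopy(cell[hosts[0]])   # the KeyFileExt being edited with asetkey
    broken = []

    def roll_out(step):
        # Deploy host by host so partially rolled-out states are checked.
        for host in hosts:
            deploy(cell, master, [host])
            if not cell_healthy(cell):
                broken.append(f"{step} (after {host})")

    if use_acceptor_only:
        master[new_kvno] = ACCEPTOR
        roll_out("add-acceptor")
        master[new_kvno] = NORMAL
        roll_out("promote-acceptor")
        master[old_kvno] = ACCEPTOR
        roll_out("demote-to-acceptor")
        del master[old_kvno]
        roll_out("delete")
    else:
        master[new_kvno] = NORMAL
        roll_out("add")
        del master[old_kvno]
        roll_out("delete")
    return broken


if __name__ == "__main__":
    hosts = ("fs-a", "fs-b", "fs-c")   # constructed host names
    print("acceptor-only recipe, broken steps:", rotate(new_cell(hosts), 1, 2, True))
    print("direct add, broken steps:         ", rotate(new_cell(hosts), 1, 2, False))
```

With three servers the recipe reports no broken steps at any point, while the direct add breaks connectivity as soon as the first server restarts with kvno 2 as a normal key, because it starts initiating with a key the other two servers do not yet hold.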

WARNINGS

Note that this procedure only works for yfs-rxgk and rxkad_k5 keys. It will not work for rxkad keys (56-bit DES).

This procedure is not applicable to rotating the keys in the /etc/yfs/server/vl.keytab and /etc/yfs/server/bos.keytab Kerberos v5 keytabs. All keys stored in the Kerberos v5 keytab files are inherently acceptor-only. The procedure for rotating Kerberos v5 service principal keys in the Kerberos KDC is implementation specific.

SEE ALSO

KeyFileExt(5), asetkey(8), bos.keytab(5), vl.keytab(5), yfs-server.conf(5)

COPYRIGHT

Copyright AuriStor, Inc. 2014-2021. https://www.auristor.com/ All Rights Reserved.

ACKNOWLEDGEMENTS

"AFS" is a registered mark of International Business Machines Corporation, used under license. (USPTO Registration 1598389)

"OpenAFS" is a registered mark of International Business Machines Corporation. (USPTO Registration 4577045)

The "AuriStor" name, log 'S' brand mark, and icon are registered marks of AuriStor, Inc. (USPTO Registrations 4849419, 4849421, and 4928460) (EUIPO Registration 015539653).

"Your File System" is a registered mark of AuriStor, Inc. (USPTO Registrations 4801402 and 4849418).

"YFS" and "AuriStor File System" are trademarks of AuriStor, Inc.